A former employee at University of Pittsburgh Medical Center’s (UPMC) McKeesport hospital viewed the protected health information (PHI) of nearly 1,300 patients, the health system recently announced.
The employee, who held an administrative position as a "unit coordinator" according to media reports, accessed patient medical records, which included patients’ names, dates of birth, contact information, treatment and diagnosis information, and Social Security numbers. She did not have a valid reason to do so, which is a violation of the federal Health Insurance Portability and Accountability Act (HIPAA).
“We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected,” John Houston, UPMC’s vice president of privacy and information security, said in a statement. “Fortunately, one of our employees who became aware of the inappropriate activity alerted hospital management in early November, and we were able to track and stop this improper behavior.
UPMC says the woman was fired and local and federal authorities have been alerted. The health system says it is providing additional employee training and continuing its own review with the aim of enhancing its privacy policies and procedures. In terms of motive, the system did not have one.
“The former employee reported to UPMC that she did not store this information or use it for financial gain,” Houston said in a release.
Email Malware Causes Breach at UW Medicine
At the Seattle-based University of Washington (UW) Medicine, an employee opened an email attachment that contained malicious software (malware), which took control of the computer and had patient data stored on it.
The health system said the computer contain private health data on roughly 90,000 Harborview Medical Center and University of Washington Medical Center patients. The data included name, medical record number, other demographics (which may include address, phone number), dates of service, charge amounts for services received at UW Medicine, Social Security Number or HIC (Medicare) number, and date of birth.
According to UW Medicine, the patient information was not sought or targeted.